1. Property P1 — Confidentiality of user data at rest
- Objective :: The plaintext of any user file stored on the internal SSD must be decryptable only by a key derived from a user-supplied passphrase; the OEM must not possess that passphrase or any escrow blob.
- Key-result :: Dump the LUKS header and verify that every keyslot is protected by PBKDF2 + passphrase and that no cleartext recovery key exists.
Test:
sudo cryptsetup luksDump --dump-json-metadata /dev/nvme0n1p2 | jq -r '.keyslots[].kdf.type' | sort -u
Expected output:
pbkdf2
calebc42@debian-laptop:~$ sudo cryptsetup luksDump /dev/nvme0n1p2 | jq -r '.keyslots[].type' | sort -u
-bash: jq: command not found
[sudo] password for calebc42:
Device /dev/nvme0n1p2 does not exist or access denied.
calebc42@debian-laptop:~$
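The key-result check can also be run without jq. The following is an added example, not part of the original page: it audits the JSON that `cryptsetup luksDump --dump-json-metadata` writes for a LUKS2 device, reporting any keyslot whose KDF is not in the allowed set and any token, since tokens bind keyslots to an unlock path other than a typed passphrase. The function name, the sample metadata and the `systemd-tpm2` token in it are constructed for illustration.

```python
import json
import sys

# Constructed LUKS2 metadata, trimmed to the fields the audit reads (not from a real device).
SAMPLE = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000000}},
        "1": {"type": "luks2", "kdf": {"type": "argon2id", "time": 4, "memory": 1048576}},
    },
    "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["1"]}},
})


def audit_luks2(metadata_json, allowed_kdfs=("pbkdf2",)):
    """Return a list of findings; an empty list means the key-result holds.

    allowed_kdfs defaults to the value the page expects; pass another tuple
    if the policy under test accepts other KDFs.
    """
    meta = json.loads(metadata_json)
    findings = []
    keyslots = meta.get("keyslots", {})
    if not keyslots:
        findings.append("no keyslots found")
    # In LUKS2 the slot "type" is always "luks2"; the KDF lives under kdf.type.
    for slot_id in sorted(keyslots, key=int):
        kdf = keyslots[slot_id].get("kdf", {}).get("type")
        if kdf not in allowed_kdfs:
            findings.append(f"keyslot {slot_id}: kdf {kdf} not in {list(allowed_kdfs)}")
    # Every token is reported: it marks keyslots that something other than
    # a typed passphrase can open, which the KDF field alone does not reveal.
    tokens = meta.get("tokens", {})
    for tok_id in sorted(tokens, key=int):
        tok = tokens[tok_id]
        findings.append(
            f"token {tok_id}: type {tok.get('type')} bound to keyslots {tok.get('keyslots')}")
    return findings


if __name__ == "__main__":
    # Usage: script.py meta.json (falls back to the constructed sample).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    results = audit_luks2(text)
    for line in results:
        print("FINDING:", line)
    sys.exit(1 if results else 0)
```

An empty result only shows what the header declares; it cannot show who else knows a passphrase that opens a slot.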